Fixes possible XSS vector.

author Brett Profitt <brett.profitt@gmail.com>

Mon, 14 May 2012 18:50:40 +0000 (11:50 -0700)

committer Brett Profitt <brett.profitt@gmail.com>

Mon, 14 May 2012 18:50:40 +0000 (11:50 -0700)
author Brett Profitt <brett.profitt@gmail.com>
Mon, 14 May 2012 18:50:40 +0000 (11:50 -0700)
committer Brett Profitt <brett.profitt@gmail.com>
Mon, 14 May 2012 18:50:40 +0000 (11:50 -0700)
diff --git a/engine/lib/views.php b/engine/lib/views.php

index ca0ce7196116d1f8ae35fd2b8afc32383d95482d..1b013be6f5bd7799cc95d0d6e547f88e2bbcd887 100644 (file)
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -103,7 +103,10 @@ function elgg_get_viewtype() {
  
         $viewtype = get_input('view', NULL);
         if ($viewtype) {
-               return $viewtype;
+               // only word characters allowed.
+               if (!preg_match('[\W]', $viewtype)) {
+                       return $viewtype;
+               }
         }
  
         if (isset($CONFIG->view) && !empty($CONFIG->view)) {
author	Brett Profitt <brett.profitt@gmail.com>
	Mon, 14 May 2012 18:50:40 +0000 (11:50 -0700)
committer	Brett Profitt <brett.profitt@gmail.com>
	Mon, 14 May 2012 18:50:40 +0000 (11:50 -0700)